Hello community,
I’m new with mikrotik and I have bought L009UiGS-RM router and configure it with some info from internet to have it the most secure it can be for my small company.
Can you please take a look and check that with this configuration there is nothing to be wary about ? Specially firewall rules
[admin@] > export
# 2024-07-13 09:01:40 by RouterOS 7.15.2
#
#
# model = L009UiGS
# serial number =
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=sfp1
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh disabled=yes port=2200
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system identity
set name=name
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.task.gda.pl
/system routerboard settings
set enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
[admin@] >
(1) I am not sure you can disable all the ethernet ports and then expect to use them on the bridge?? /interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
(2) Since ipv6 is disabled remove all the firewall rules and lists associated, to clean up the config.
(3) To be consistent with your policy of security recommend the following.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN add name=Management
/ip neighbor discovery-settings
set discover-interface-list**=Management**
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN
add interface=bridge list=Management
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address disabled=yes
set ssh disabled=yes port=2200
set api disabled=yes
set api-ssl disabled=yes
So in summary it should be like that.
With your suggestion we are removing this rules from firewall:
add action=drop chain=input comment=“defconf: drop all not coming from LAN” in-interface-list=!LAN
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Second one above in chain forward, understand that last one will take over (add action=drop chain=forward comment=“drop all else”)
But first one above in chain input, why we are removing ?
[admin@] > export
# 2024-07-13 09:01:40 by RouterOS 7.15.2
#
#
# model = L009UiGS
# serial number =
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Management
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=Management
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN
add interface=bridge list=Management
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=sfp1
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="admin access" in-interface-list=Management src-address-list=Authorized
add action=accept chain=input comment="users to services only" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services only" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else" { put this rule in last to avoid getting locked out }
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="drop all else"
/ip firewall address-list
add address=192.168.88.XY list=Authorized comment="admin device 1"
add address=192.168.88.AB list=Authorized comment="admin device 2"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address disabled=yes
set ssh disabled=yes port=2200
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=name
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.task.gda.pl
/system routerboard settings
set enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
[admin@] >
Because we want to limit access to those that can reach winbox for configuring the router.
If you let every tom dick and harry access the input chain ( aka the entire LAN access the input chain) then you have defeated one of the purposes of security and input chain.
Its okay for a startup first config, because the admin can access what he needs.
Thus we only allow admins full access and the users on the LAN really normally only need access to router DNS services and sometimes router NTP services.
For one house the internal LAN security based on IP is excessive and useless.
Do all the guests you have at home try to modify your router?
At most dedicate a port exclusively to the MGMT,
in which you must use a VLAN,
have a specific MAC address
and use IPSec & co.
all to connect at the end via SSH with a certificate
to enable the connection with winbox within a second
with username “admin” and without password…
If some hacker connect outside to your wifi, why is on same network of other devices?
Is easy to test all IPs for find what have the access to winbox…
Must be created a separate group for guests with no access at all, not based on IP…
For complete security of the administrative interface, only one real ethernet port should be dedicated to it, only for this purpose, and without wifi access.
If someone sneaks into your home, accessing your router is the least of your worries…
Excessive but at no extra cost. In fact free advice
I always assume, rightly or wrongly, that friends come over to use the internet, then its your kids and then kids friends and then you have multiple vlans etc etc.
This sets one up from the getgo with a solid process
We agree to disagree…
If not, then we need to have a discourse in person, and of course, you will pay my air fare.
BAD HABIT to disable IPv6:
Disabling it does not mean that it does not transit in the network.
However, firewall rules should not be deleted: In case of accidental activation or for an update, the device would no longer be protected.
BAD HABIT to disable physical ports: (yes, you can disable ALL of them and the software doesn’t prevent it)
What if you accidentally turn off ether2? You have to netinstall or reset the device (and if protected routerboot is on???..).
What if ether2 breaks for some reason? You have to netinstall or reset the device (and if protected routerboot is on???..).
And the worst: if the only active one was ether1 and it breaks, you must throw the router away, since you can no longer do the netinstall, so no longer access the device on any way (no matter if you know the seconds for reset on protected: you can not netinstall the device…)…
(except if you spend money to repair it, unless it is worth getting a new one)
These are all choices that seem smart, but are actually ridiculous.
I would also add that it is wrong to leave only one administrative way.
The router L009UiGS-RM has a serial port, so if necessary you can access it from there (but you must have a PC with serial port and the serial cable).
But in routers that do not have it, it is wrong to disable everything else except WinBox.
Suppose that by mistake or for some error it is disabled or put on a badly written IP that you do not remember…
Again you have to reset or netinstall the device to change its configuration…
100% agree for the same reason. That’s why @anav, you should stop recommending people to remove the defconf IPv6 firewall rules. You are a valuable member with great knowledge and respected by everyone, so such recommendation coming from your aversion to IPv6 might lead to future unsecured configurations on other people’s devices.
Thanks all for your comments and thoughts.This router is not at home, it is placed in small company withing 20 machines.
I see that discussion get to hot level
Then looks that I will just leave IPV6 configuration and adjust IP firewall rules.
Regarding managment, whatever I do there is a console port so I can always connect and change settings, there is nothing to be worry about.
I will leave access from www and winbox with restriction from local network, I have change user and set up secure password.
I know I have a bias but it has nothing to do with my suggestion… Personally I remove all and put ipv6 forward chain and input chain DROP ALL.
I will amend my future suggestions appropriately… TO:
(1) Ensure IPV6 is disabled.
(2) Copy current default ipv6 rules and lists to a file, on your computer and store for potential future use.
(3) Use only two rules for IPV6 add chain=input action=drop
add chain=forward action=drop
In this way during some udpate or some change or accident, and IPV6 is enabled, the router is secure.
I cannot condone useless config lines present, should be clean lean and mean. simple clear, no extra … Noise hurts my ears and noise is polluting and unused config is noise.
Generally speaking the input chain is traffic to the router and thus it should have no bearing on your access to the internet.
However, part of the access to the router required for internet is DNS and that can be a service on the router.
Tis why I put these rules in place. add action=accept chain=input comment=“users to services only” in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment=“users to services only” in-interface-list=LAN dst-port=53 protocol=tcp
The bigger problem is you failed to follow clear and simple setup that
a. put each chains rules together for easy reading, logical flow sequence and ease of troubleshooting.
b. completely missed the set of rules above…
Aside from what @anav posted, you should also reenable the rule that allows ICMP traffic on the input chain. Read up on Path MTU Discovery / PMTUD for the reasons why ICMP should not be blocked!
Thanks @anav for all your support and thoughts, appreciate it ! Of course all others too.
In deed I have missed these two important entry’s, not sure why, now works like it should. Problem was with DNS so that’s why these entry’s ware needed. I should get to this point by my self.
Concur its a very logical process, but dont feel alone, its taken my years, being completely untrained to get to this point. Just be aware that the router provides services and they are accessed via the input chain rules. The default rules in MT allow LAN to the input chain aka to the router with no limitations and thus things work out of the box.
When the admin wants to limit access to config the router to only himself, then you cannot allow the LAN complete access and we narrow it down to what is needed which is DNS services on the router and sometimes NTP as well.
I placed them after this one:
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
I would put them after the icmp rule, personal preference.
One allows a user to handshake with the router
The other allows the user to access the router services such as DNS and winbox
might lead to future unsecured configurations on other people’s devices.